Method and system for NAND flash support in an autonomously loaded secure reprogrammable system

ABSTRACT

A system and method that enables secure system boot up with a restricted central processing unit (CPU). The system includes a memory, a segmenting device, and a security sub-system. The memory is a NAND flash memory with a block structure that comprises a guaranteed block and non-guaranteed blocks. The guaranteed block is guaranteed to be useable. A boot code is segmented into boot code segments and the boot code segments are stored separately in the guaranteed and non-guaranteed blocks. The security sub-system is configured to locate the boot code segments stored in the non-guaranteed blocks and validate them independently based on data in the guaranteed block. The security sub-system is further configured to assemble the boot code segments into the boot code and execute the boot code.

FIELD OF THE INVENTION

Certain embodiments of the invention relate to system security. Morespecifically, certain embodiments of the invention relate to a methodand system for NAND flash support in an autonomously loaded securereprogrammable system.

BACKGROUND OF THE INVENTION

In an increasingly security-conscious world, protecting access toinformation and/or to systems from unwanted discovery and/or corruptionis a major issue for both consumers and businesses.

The growth of system connectivity has been one of the major developmentsin recent years. Fewer and fewer systems are operating as stand-aloneboxes, and most of today's systems are increasingly becoming elements ofcomplex networks. This growth in networking allows improved performanceand increased flexibility. However, with this growth in systemdistribution, system security, and protection against unwanted accessand/or corruption, has become a major concern for systems owners and/oroperators. Many consumers and systems owners and/or operators may bevulnerable to unwanted access when the level of security provided withinthe system is insufficient for providing the appropriate protection. Inthat regard, many deployed systems, may incorporate the use ofarchitectures that enable and improve security management in order toprovide the necessary protection from unwanted access.

Many systems have dedicated security sub-systems, which in addition tomonitoring the system security throughout its operations, may alsofunction to ensure that the systems are initially loaded securely. Thesesystems may also comprise processing units, which may be required toperform general processing functions including, but not limited to,loading code and/or data, performing code validation, executing codeinstructions, and performing memory manipulations. If the system is tobe loaded securely, such processing unit need to be assured that it isexecuting clean code. Therefore, such processing unit may not be runningduring initial boot stages, and consequently, some of the functionalityprovided by the processing unit, including, but not limited to, memoryoperations, may not be available during early boot stages.

Secure system boot would require loading boot code sets that may bestored in memory. Some memory devices, including for example NAND flashmemory devices, may utilize block structure, wherein internal spacewithin these devices may be segmented into block causing data stored inthese memory devices that may exceed block size to be stored indifferent blocks. Also, with such memory devices, some of these blocksmay be unusable causing data stored in these devices to spannoncontiguous blocks at times. Typically such situations are remediedusing specific software operations that mask the internal storingdetails of these memory devices.

For example, a NAND flash memory, which may utilize internal blockstructure, may be arranged in block sizes from 8 k to 128 k (currently),and only the first block is guaranteed to be useable. When data isstored in NAND flash memory, and the size of data exceeds availablespace in a single block, the data may be stored in multiple blocks thatmay not necessarily be contiguous. A MIPS-based system incorporating aNAND flash memory for example may use specific software managementscheme to manage such NAND flash memory limitations. One such softwaremanagement scheme is Bad Block Management (BBM) wherein a mapping ofdifferent block locations associated with some data is maintained by asoftware application allowing the system to load the data as a wholeregardless of the detail of the storage within the NAND flash memory(which blocks are actually used to store the different parts).Therefore, an application such as BBM would mask the fragmented detailsof storage within a memory device such as a NAND flash memory allowingthe system to operate as if the data was being loaded as a whole.

Such approach, while practical in most situations, poses a problemduring secure system boots. As stated above, during early phases ofsecure system boots it may be necessary to prevent and/or limit theprocessing unit operation while the integrity and security of the systemis assured. It may be possible the boot code set necessary to allow thesystem to boot up and perform security operations during early phases ofsecure system boot may exceed the available area in such the guaranteedblock in the NAND flash memory, and some of this boot code set may bestored in other, non-contiguous, blocks. Without the processing unit,the software applications that would allow use of Bad Block Management,for example, may not be available. Therefore, security code that need beloaded to assure the system security and integrity may not be availablewithout the use of the processing unit that may not available duringthese early phases of secure system boots.

Further limitations and disadvantages of conventional and traditionalapproaches will become apparent to one of skill in the art, throughcomparison of such systems with some aspects of the present invention asset forth in the remainder of the present application with reference tothe drawings.

BRIEF SUMMARY OF THE INVENTION

A system and/or method is provided for an autonomously loaded securesystem, substantially as shown in and/or described in connection with atleast one of the figures, as set forth more completely in the claims.

These and other advantages, aspects and novel features of the presentinvention, as well as details of an illustrated embodiment thereof, willbe more fully understood from the following description and drawings.

BRIEF DESCRIPTION OF SEVERAL VIEW OF THE DRAWINGS

FIG. 1 is a block diagram illustrating an exemplary memory, inconnection with an embodiment of the invention.

FIG. 2 is a block diagram illustrating an exemplary memory storagesituation, in connection with an embodiment of the invention.

FIG. 3 is a block diagram illustrating an exemplary structuring of aboot code set within a guaranteed area of a NAND flash memory, which maybe utilized in accordance with an embodiment of the invention.

FIG. 4 is a block diagram illustrating an exemplary system with a NANDflash memory, which may be utilized in accordance with an embodiment ofthe invention.

DETAILED DESCRIPTION OF THE INVENTION

Certain embodiments of the invention may be found in a method and systemfor NAND flash support in an autonomously loaded secure reprogrammablesystem. Exemplary aspects of a method and system for ensuring securesystem boot, may comprise segmenting a boot code into various segmentsthat may be stored and validated separately. The segmented boot code maybe stored in a memory, such as a NAND flash memory 402. Since NAND flashmemory devices incorporate block structure, with only the first blockguaranteed to be usable, only some of the segments of the boot code maybe stored in the guaranteed area of the NAND flash memory. The segmentsstored in the guaranteed area of the NAND flash memory may compriseinformation that enable locating and validating remaining segmentsseparately. These remaining segments may not be stored in guaranteedareas of the NAND flash memory, and may be stored in non-contiguousblocks.

During secure system boots, a main CPU may be restricted while thesystem's security may be assured. A security sub-system may load theboot code necessary to perform system boot in a secure manner byfetching block 0 of the NAND flash memory, which is always guaranteed tobe usable, and using segments of boot code stored in block 0, theguaranteed area, to assemble the boot code. Using the segments in theguaranteed area may enable the security sub-system to locate each ofremaining segments of boot code that may be stored in other blocks ofthe NAND flash memory, and validate these segments separately.

FIG. 1 is a block diagram illustrating an exemplary NAND flash memory,in connection with an embodiment of the invention. Referring to FIG. 1,there is shown a memory device 100, a block (0) 102, a block (1) 104,and a block (n) 106.

The memory device 100 may comprise suitable logic, circuitry and/or codethat may enable storage of code and data. The internal space of memorydevice 100 is segmented into blocks; block (0), block (1), . . . , block(n).

In operation, the memory device 100 utilizes a block architecturewherein internal storage space within the memory device 100 is segmentedinto blocks; block (0), block (1), . . . , block (n). Only one block isalways guaranteed to be usable for storing. Block (0) is a guaranteedblock. Data and/or code stored in memory device 100 that may not fit inblock (0) are stored in one or more other blocks. Software management ofmemory may be needed to track and determine where specific data and/orcode may be stored (in which blocks).

FIG. 2 is a block diagram illustrating an exemplary memory storagesituation, in connection with an embodiment of the invention. Referringto FIG. 2, there is shown a memory device 202, a block (0) 204, a block(1) 206, a block (n) 208, a code set 210, a code set part (1) 212, acode set part (2) 214, and a code set part (3) 216.

The memory device 202 may comprise suitable logic, circuitry and/or codethat may enable storage of code and data. The internal space of memorydevice 202 may utilize block structure, and may comprise block (0) 204,block (1) 206, . . . , block (n) 208. The code set 210 may comprise aset of code instructions and/or necessary data that may perform a task.The code set part (1) 212 comprises critical data in connection withcode set 210. The code set part (1) 212 may comprise a sub-set of codeset 210, and may also comprise additional data, which may includeinformation that enables locating other code set parts, and may alsoenable validating each part of code set separately and independently.The code set part (2) 214 comprises a subset of code set 210. The codeset part (3) 216 comprises a sub-set of code set 210.

In operation, the memory device 202 performs as the memory device 100described in FIG. 1.

As demonstrated, the code set 210 may not fit completely into block (0)204, which is the only guaranteed block in memory device 202. The codeset 210 may be partitioned onto code set part (0) 212, code set part (1)214, and code set part (2) 216. The code set part (0) may be stored inblock (0) 204, which is a guaranteed area in memory device 202.

When code set part (0) 212 is loaded from block (0) 204, the criticaldata may be used to locate remaining parts of the code set 210—i.e.,code set part (2) 214 and code set part (3) 216. The critical data mayalso allow validating the code sub-set in code set part (1) 212, thecode set part (2) 214, and code set part (3) 216 independently andseparately. Therefore, accessing the guaranteed block, block (0) 204,would allow autonomous loading of code set 210—i.e., without use ofspecific software application to account for block structure of memorydevice 202.

FIG. 3 is a block diagram illustrating an exemplary structuring of asecurity code set within a guaranteed area of a NANO flash memory, whichmay be utilized in accordance with an embodiment of the invention.Referring to FIG. 3, there is shown a NANO flash memory 300, a block (0)302, a fixed boot sector (part 1) 306, a fixed boot sector (part 2) 308,a fixed boot sector (part 1) signature 310, a fixed boot sector (part 2)signature 312, a variable boot code sector key 314, a variable boot codesector size 316, a variable boot code sector (pointer 1) 320, a variableboot code sector (pointer n) 322, a variable boot code sector (part 1)324, and a variable boot code sector (part n) 326.

NAND flash memory 300 may comprise suitable logic, circuitry and/or codethat may enable storage of code and data. The internal space of the NANDflash memory 300 may utilize block structure, and may comprise block (0)302. Block (0) 302 may comprise the guaranteed block of the NAND flashmemory 300—i.e., the only block always guaranteed to be usable.

The fixed boot sector (part 1) 306, the fixed boot sector (part 2) 308,the boot sector (part 1) 324, . . . , the variable boot code sector(part n) 326 may cumulatively comprise the boot code set, which maycomprise instructions and/or necessary data that may allow booting up asystem and/or device and performing necessary security operations. Thefixed boot sector (part 1) signature 310 comprises information that mayallow validating the fixed boot sector (part 1) 306. The fixed bootsector (part 2) signature 312 comprises information that may allowvalidating the fixed boot sector (part 2) 308. The variable boot codesector size 316 may comprise information that may allow determining sizeof variable code set sector—i.e., combined sizes of all parts of thevariable boot code—i.e., the variable boot code sector (part 1) 324, . .. , the variable boot code sector (part 1) 326. The variable boot codesector (pointer 1) 320 comprises information that may allowing locatingthe variable boot code sector (part 1) 324—i.e., a block in the NANDflash memory 300 where the variable boot code sector (part 1) 324 isstored. The variable boot code sector (pointer n) 322 comprisesinformation that may allowing locating the variable boot code sector(part n) 326—i.e., a block in the NAND flash memory 300 where thevariable boot code sector (part n) 326 is stored.

In operation, block (0) 302 may be loaded autonomously because it is theguaranteed block in the NAND flash memory 300—i.e., block (0) 302 isalways usable. The fixed boot code sector (part 1) 306 may be validatedusing the fixed boot code sector (part 1) signature 310. The fixed bootcode sector (part 2) 308 may be validated using the fixed boot codesector (part 2) signature 312. The variable boot code sector, whichcomprises remaining boot code sector parts stored in the NAND flashmemory 300, but not in the block (0) 302, may be assembled by using thevariable boot code sector size 316, and the variable boot code sector(pointer 1) 320, . . . , the variable boot code sector (pointer n) 322,to locate the variable boot code sector (part 1) 324, . . . , thevariable boot code sector (part n) 326. The variable boot code sectormay be validated by using the variable boot code sector key 314. Oncethe variable boot code sector and the fixed boot code sector arevalidated, they may be combined to obtain the boot code set.

FIG. 4 is a block diagram illustrating an exemplary system with a NANDflash memory, which may be utilized in accordance with an embodiment ofthe invention. Referring to FIG. 4, there is shown a NAND flash memory402, a processor system 404, a main-CPU 406, and a security sub-system408.

The NAND flash memory 402 may comprise suitable logic, circuitry and/orcode that may enable storage of code and data used by the processorsystem 404. The processing system 404 may comprise a main-CPU 406, asecurity sub-system 408, and suitable logic, circuitry and/or code thatmay enable processing operations. The invention may not be limited to aspecific processor, but may comprise for example, a general purposeprocessor, a specialized processor or any combination of suitablehardware, firmware, software and/or code, which may be enabled toprovide NAND flash support for secure and autonomous boot code loadingin accordance with the various embodiments of the invention.

The main-CPU 406 may comprise suitable logic, circuitry and/or code thatmay enable said processing operations. The security sub-system 408 maycomprise suitable hardware, firmware, software and/or code, which may beenabled to provide security operations.

In operations, the NAND flash memory 402 operates similar to NAND flashmemory 300 described in FIG. 3. The processor system 404 may performvarious processing operations, which may include, but is not limited to,memory operations.

The security sub-system 408 may perform security operations thatrestrict and control the processor system 404 in certain securitysituation, including, but not limited to, secure and autonomous bootcode loading.

The security sub-system 408 may load code and/or data from theguaranteed block in the NAND flash memory. The security sub-system 408may load a boot code from the NAND flash memory. The security sub-system408 may assemble the boot code by loading the boot code sectors eitherdirectly from the guaranteed block of the NAND flash memory, or by usingthe pointers stored in the guaranteed block to locate the parts storedin non-guaranteed blocks. The security sub-system 408 may use thesignatures stored in the guaranteed block to validate the code setsectors separately. The security sub-system may execute the boot code toassure system security and integrity.

Various embodiments of the invention may comprise a method and systemfor ensuring secure system boot, and may comprise segmenting a boot codeinto various segments that may be stored and validated separately. Thesegmented boot code may be stored in a memory, such as a NAND flashmemory 402. Because NAND flash memory devices incorporate blockstructure, with only the first block guaranteed to be usable, only someof the segments of the boot code may be stored in the guaranteed area ofthe NAND flash memory 402. The segments stored in the guaranteed area ofthe NAND flash memory 402 comprise information that enable locating andvalidating remaining segments separately. These remaining segments maynot be stored in guaranteed areas of the NAND flash memory 402, and maybe stored in non-contiguous blocks. During secure system boots, the mainCPU 406 may be restricted while the system's security may be assured. Asecurity sub-system 408 may load the boot code necessary to performsystem boot in secure manner by fetching block 0 of the NAND flashmemory 402, which is always guaranteed to be usable, and using segmentsof boot code stored in block 0, the guaranteed area, to assemble theboot code. Using the segments in the guaranteed area may enable thesecurity subsystem 408 to locate each of remaining segments of boot codethat may be stored in other blocks of the NAND flash memory, andvalidate these segments separately.

Accordingly, the present invention may be realized in hardware,software, or a combination of hardware and software. The presentinvention may be realized in a centralized fashion in at least onecomputer system, or in a distributed fashion where different elementsare spread across several interconnected computer systems. Any kind ofcomputer system or other apparatus adapted for carrying out the methodsdescribed herein is suited. A typical combination of hardware andsoftware may be a general-purpose computer system with a computerprogram that, when being loaded and executed, controls the computersystem such that it carries out the methods described herein.

The present invention may also be embedded in a computer programproduct, which comprises all the features enabling the implementation ofthe methods described herein, and which when loaded in a computer systemis able to carry out these methods. Computer program in the presentcontext means any expression, in any language, code or notation, of aset of instructions intended to cause a system having an informationprocessing capability to perform a particular function either directlyor after either or both of the following: a) conversion to anotherlanguage, code or notation; b) reproduction in a different materialform.

While the present invention has been described with reference to certainembodiments, it will be understood by those skilled in the art thatvarious changes may be made and equivalents may be substituted withoutdeparting from the scope of the present invention. In addition, manymodifications may be made to adapt a particular situation or material tothe teachings of the present invention without departing from its scope.Therefore, it is intended that the present invention not be limited tothe particular embodiment disclosed, but that the present invention willinclude all embodiments falling within the scope of the appended claims.

What is claimed is:
 1. A method comprising: segmenting a boot code intoa plurality of boot code segments; storing the boot code segments in aguaranteed block and non-guaranteed blocks, which are not guaranteed tobe used, of a memory; executing code located in the boot code segmentsstored in the guaranteed block; locating the boot code segments storedin the non-guaranteed blocks based on the executed code; validating thelocated boot code segments based on the executed code; assembling theboot code using the validated boot code segments; and executing theassembled boot code.
 2. The method of claim 1, wherein the storing ofthe boot code segments in the guaranteed block comprises storing theboot code segments in a memory location that is guaranteed to beuseable.
 3. The method of claim 1, wherein the storing of the boot codesegments in the non-guaranteed blocks comprises storing the boot codesegments in non-contiguous blocks of the memory.
 4. The method of claim1, further comprising using NAND flash memory as the memory.
 5. Themethod of claim 4, wherein a first block of the NAND flash memory isused as the guaranteed block.
 6. The method of claim 1, wherein thevalidating comprises validating the boot code segments usinghardware-based signatures.
 7. A system comprising: a segmenting deviceconfigured to segment a boot code into a plurality of boot codesegments; a memory configured to store the boot code segments in aguaranteed block and non-guaranteed blocks; and a security sub-systemconfigured to: execute code located in the boot code segments stored inthe guaranteed block; locate the boot code segments stored in thenon-guaranteed blocks based on the executed code; validate the locatedboot code segments based on the executed code; assemble the boot codeusing the validated boot code segments; and execute the assembled bootcode.
 8. The system of claim 7, wherein the guaranteed block is apredefined location in the memory that is guaranteed to be useable. 9.The system of claim 7, wherein the non-guaranteed blocks arenon-contiguous blocks in the memory.
 10. The system of claim 7, whereinthe memory is a NAND flash memory.
 11. The system of claim 10, wherein afirst block of the NAND flash memory is the guaranteed block.
 12. Thesystem of claim 7, wherein the boot code segments are validatedindependently using hardware-based signatures.
 13. The system of claim7, wherein the boot code segments comprise a fixed sector and a variablesector.
 14. A system comprising: means for segmenting a boot code into aplurality of boot code segments; means for storing boot code segments ina guaranteed block and non-guaranteed blocks which are not guaranteed tobe used, of a memory; means for executing code located in the boot codesegments in the guaranteed block; means for locating the boot codesegments in the non-guaranteed blocks based on the executed code; meansfor validating the located boot code segments based on the executedcode; means for assembling the boot code using the validated boot codesegments; and means for executing the assembled boot code.